Splunk Search

whitelist regex help with multiple strings

joesrepsolc
Communicator

Trying to build a rather simple inputs.conf (or so I thought) to grab two static named files, and the last file has a date built in, so I want to get them all, and any new ones that get created moving forward. I only need help with the whitelist part of the inputs, but can't seem to figure out the combo to get this to work.

catalina.out
vpAppLogClient.log
localhost_access_log.2019-03-19.txt (this one changes everyday)

[monitor:///opt/web/tomcatA/logs]
index = web
sourcetype = tomcat_logs
disabled = 0
whitelist = /catalina.out$|/vpAppLogClient.log$|?????

Appreciate the help everyone!!!

0 Karma
1 Solution

harsmarvania57
SplunkTrust

Hi,

Instead of creating multiple stanzas, you can create a single monitor input with a regex. That regex will capture catalina.out, vpAppLogClient.log and localhost_access_log.YYYY-MM-DD.txt

inputs.conf

[monitor:///opt/web/tomcatA/logs]
index = web
sourcetype = tomcat_logs
disabled = 0
whitelist = (catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt)$

EDIT: Fixed typo


0 Karma

joesrepsolc
Communicator

Trying this now, but hoping that it works! Reading through the regex you posted... interesting stuff.

Question: Why do I need the "(" and ")" parentheses around the statement? I missed that on one of my attempts. I also missed the "$" at the end, but was doing that on the end of each file name. Hmmm. Clearly I don't know regex well enough.

0 Karma

harsmarvania57
SplunkTrust

In regex, () is a capturing group, but in this monitor stanza there is no difference whether we use a capturing group or a non-capturing group (?:). I have used () because I am using OR | and ending with $ for all 3 files in common. $ is end of line.

0 Karma
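To see why the grouping and the trailing $ matter for what actually gets ingested, here is an added example (not from this thread or from Splunk) that runs the accepted answer's whitelist, the same alternatives without the group, and a variant that also pins the leading "/" against a constructed directory listing. It assumes Splunk applies the whitelist as an unanchored regex search over the full file path, which is what both the question's and the answer's patterns rely on.

```python
import re

# The accepted answer's whitelist: the group makes the trailing $ apply to
# every alternative, so rotated copies such as catalina.out.2019-03-18 are
# excluded.
WHITELIST_ANSWER = r"(catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}-\d{2}-\d{2}\.txt)$"

# Same alternatives without the group: $ now binds only to the last one,
# so the first two alternatives match anywhere in the path.
WHITELIST_NO_GROUP = r"catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}-\d{2}-\d{2}\.txt$"

# Variant that also pins the leading "/" (as the question's attempt did),
# so a file whose name merely ends in one of the targets is not picked up.
WHITELIST_SLASH = r"/(catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}-\d{2}-\d{2}\.txt)$"

# Constructed listing of what /opt/web/tomcatA/logs might hold over time.
SAMPLE_PATHS = [
    "/opt/web/tomcatA/logs/catalina.out",
    "/opt/web/tomcatA/logs/catalina.out.2019-03-18",
    "/opt/web/tomcatA/logs/vpAppLogClient.log",
    "/opt/web/tomcatA/logs/vpAppLogClient.log.1",
    "/opt/web/tomcatA/logs/localhost_access_log.2019-03-19.txt",
    "/opt/web/tomcatA/logs/localhost_access_log.2019-03-19.txt.gz",
    "/opt/web/tomcatA/logs/manager.2019-03-19.log",
    "/opt/web/tomcatA/logs/oldcatalina.out",
]


def monitored_files(whitelist, paths):
    """Return the file names a whitelist regex admits.

    Assumption: the whitelist is an unanchored regex searched against the
    full path, so only the anchors written into the pattern constrain it.
    """
    pattern = re.compile(whitelist)
    return [p.rsplit("/", 1)[-1] for p in paths if pattern.search(p)]


if __name__ == "__main__":
    for label, wl in (("answer", WHITELIST_ANSWER),
                      ("no group", WHITELIST_NO_GROUP),
                      ("leading slash", WHITELIST_SLASH)):
        print(f"{label:14s} -> {monitored_files(wl, SAMPLE_PATHS)}")
```

Without the group, the rotated catalina.out and vpAppLogClient.log copies are ingested as well; with the answer's pattern they are not, and adding the leading "/" additionally drops the oldcatalina.out look-alike.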

joesrepsolc
Communicator

Thanks for the quick response. And THIS WORKED. Super cool. Thank you everyone.

0 Karma

harsmarvania57
SplunkTrust

Welcome 🙂

0 Karma

whrg
Motivator

Hello @joesrepsolc,

I think it is easier here to create multiple monitor stanzas without the whitelist option:

[monitor:///opt/web/tomcatA/logs/catalina.out]
index = web
...

[monitor:///opt/web/tomcatA/logs/vpAppLogClient.log]
index = web
...

[monitor:///opt/web/tomcatA/logs/localhost_access_log.*.txt]
index = web
...

0 Karma

joesrepsolc
Communicator

I am aware of doing it this way, but it does make the length/size of the inputs.conf file much larger and a little harder to manage. But I do appreciate the response. I really wanted to understand the regex component so I can utilize the whitelist function.

0 Karma